-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit c12bbce
Showing
755 changed files
with
96,915 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| INFLUX_URL=http://localhost:8086 | ||
| INFLUX_ORG=org | ||
| INFLUX_BUCKET=bucket | ||
| INFLUX_TOKEN=token | ||
|
|
||
| RABBITMQ_HOST=localhost | ||
| RABBITMQ_PORT=5672 | ||
| RABBITMQ_USER=rabbitmq | ||
| RABBITMQ_PASS=rabbitmq | ||
| RABBITMQ_CONNECTION_RETRIES=1 | ||
|
|
||
| # the application communicates with ripe. If you are doing more than 1000 scans per day, you should | ||
| # have a look right here: https://stat.ripe.net/docs/data_api (Rules of Usage) | ||
| RIPE_SOURCE_APP=ripe_source_app | ||
|
|
||
| REDIS_HOST=localhost:6379 | ||
|
|
||
| LOG_LEVEL=info # debug, info, warning, error | ||
|
|
||
| GOMEMLIMIT=750MiB | ||
|
|
||
| SLACK_WEBHOOK_URL="" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| .env | ||
| config.yaml | ||
| /.idea/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,198 @@ | ||
| image: golang:1.22.5 | ||
|
|
||
| variables: | ||
| GIT_SUBMODULE_STRATEGY: recursive | ||
|
|
||
| stages: | ||
| - test | ||
| - tag | ||
| - build | ||
| - container-scanning | ||
| - publish | ||
| - sign | ||
|
|
||
| secret-scanning: | ||
| image: ghcr.io/gitleaks/gitleaks:v8.18.2@sha256:8bd05f793efe84e7bbba36c4e138080b88f6acb77f3865835024eb7bef30c41f | ||
| stage: test | ||
| script: gitleaks -s . detect | ||
|
|
||
| static-application-security-testing: | ||
| stage: test | ||
| image: golangci/golangci-lint:v1.58.1@sha256:5bef7ef61a4e2529b39d4e39de3564d82c38291636cdb9b79a656cedb09ab175 | ||
| script: | ||
| - golangci-lint run --timeout 5m | ||
|
|
||
| software-composition-analysis: | ||
| stage: test | ||
| image: golang:1.22.5 | ||
| script: | ||
| - go install golang.org/x/vuln/cmd/govulncheck@latest | ||
| - govulncheck ./... | ||
|
|
||
| gotest: | ||
| stage: test | ||
| script: | ||
| - go test -v -coverpkg=./... -coverprofile=profile.cov ./... | ||
| - go tool cover -func profile.cov | ||
|
|
||
| license-compliance: | ||
| stage: test | ||
| image: ruby:3.3.1-alpine3.19@sha256:92047b87f9a122a10b22fba43ad647969a5c1ca43da663abebf5718dce1ab6a0 | ||
| script: | ||
| - gem install license_finder | ||
| - wget https://dl.google.com/go/go1.22.3.linux-amd64.tar.gz | ||
| - echo "8920ea521bad8f6b7bc377b4824982e011c19af27df88a815e3586ea895f1b36 go1.22.3.linux-amd64.tar.gz" | sha256sum -c - | ||
| - tar -C /usr/local -xzf go1.22.3.linux-amd64.tar.gz | ||
| - export PATH=$PATH:/usr/local/go/bin | ||
| - license_finder --decisions_file ./docs/dependency_decisions.yml --enabled-package-managers gomodules | ||
|
|
||
| iac: | ||
| stage: test | ||
| image: bridgecrew/checkov:3.2.98@sha256:2a280191e5b9e3890c7b64013955b48870e7e2a6fb5ae10a558d03b3aa81510b | ||
| script: | ||
| - checkov -d . --quiet | ||
|
|
||
| tag: | ||
| stage: tag | ||
| needs: [] | ||
| dependencies: [] | ||
| script: | ||
| - | | ||
| if [ -n "$CI_COMMIT_TAG" ]; then | ||
| # Set IMAGE_TAG if the pipeline was triggered by a tag | ||
| echo "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" > image-tag.txt | ||
| else | ||
| # Set IMAGE_TAG if the pipeline was triggered by a push to main | ||
| branch=$(echo $CI_COMMIT_REF_NAME | sed 's/\//-/g') | ||
| sha=${CI_COMMIT_SHORT_SHA} | ||
| ts=$(date +%s) | ||
| echo "$CI_REGISTRY_IMAGE:${branch}-${sha}-${ts}" > image-tag.txt | ||
| fi | ||
| artifacts: | ||
| paths: | ||
| - image-tag.txt | ||
| only: | ||
| - main | ||
| - tags | ||
|
|
||
| .oci:login: | ||
| stage: test | ||
| script: | ||
| - &oci_login | | ||
| export VERSION="1.1.0" | ||
| export ORAS_SHASUM="e09e85323b24ccc8209a1506f142e3d481e6e809018537c6b3db979c891e6ad7" | ||
| curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz" | ||
| echo "${ORAS_SHASUM} oras_${VERSION}_linux_amd64.tar.gz" | sha256sum -c - | ||
| mkdir -p oras-install/ | ||
| tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/ | ||
| mv oras-install/oras /usr/local/bin/ | ||
| rm -rf oras_${VERSION}_*.tar.gz oras-install/ | ||
| echo "$CI_JOB_TOKEN" | oras login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin | ||
| except: | ||
| variables: | ||
| - $CI_PIPELINE_SOURCE == "schedule" | ||
|
|
||
| oci:build: | ||
| stage: build | ||
| needs: [tag, secret-scanning, static-application-security-testing, software-composition-analysis, gotest, license-compliance, iac] | ||
| dependencies: ["tag"] | ||
| image: | ||
| name: gcr.io/kaniko-project/executor:v1.22.0-debug@sha256:7b3699e9e105521075812cd3f3f4c62c913cb5cd113c929975502022df3bcf60 | ||
| entrypoint: [""] | ||
| script: | ||
| - /kaniko/executor --digest-file=digest.txt --cleanup --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $(cat image-tag.txt) | ||
| artifacts: | ||
| paths: | ||
| - digest.txt | ||
| when: on_success | ||
| only: | ||
| - main | ||
| - tags | ||
| except: | ||
| variables: | ||
| - $CI_PIPELINE_SOURCE == "schedule" | ||
|
|
||
| container-scanning: | ||
| stage: container-scanning | ||
| needs: ["oci:build", "tag"] | ||
| dependencies: | ||
| - oci:build | ||
| - tag | ||
| image: alpine:3.19.1@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b | ||
| before_script: | ||
| # download oras and login to the registry | ||
| - apk add --update curl | ||
| - *oci_login | ||
| - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.50.4 | ||
| script: | ||
| - trivy image --exit-code 1 --severity CRITICAL --no-progress $(cat image-tag.txt)@$(cat digest.txt) | ||
| only: | ||
| - main | ||
| - tags | ||
| except: | ||
| variables: | ||
| - $CI_PIPELINE_SOURCE == "schedule" | ||
|
|
||
| sbom: | ||
| image: alpine:3.19.1@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b | ||
| before_script: | ||
| - apk add --update curl | ||
| - *oci_login | ||
| - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | ||
| stage: publish | ||
| needs: ["oci:build", "tag"] | ||
| dependencies: | ||
| - oci:build | ||
| - tag | ||
| script: | ||
| - syft $(cat image-tag.txt)@$(cat digest.txt) -o cyclonedx-json=sbom.json | ||
| artifacts: | ||
| paths: | ||
| - sbom.json | ||
| only: | ||
| - main | ||
| - tags | ||
| except: | ||
| variables: | ||
| - $CI_PIPELINE_SOURCE == "schedule" | ||
|
|
||
| sign-image: | ||
| stage: sign | ||
| needs: ['oci:build', 'tag'] | ||
| dependencies: | ||
| - oci:build | ||
| - tag | ||
| image: alpine:3.19.1@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b | ||
| before_script: | ||
| - apk add --update cosign | ||
| - apk add --update curl | ||
| - *oci_login | ||
| script: | ||
| - cosign sign --yes --key $COSIGN_PRIVATE_KEY "$(cat image-tag.txt)@$(cat digest.txt)" | ||
| only: | ||
| - main | ||
| - tags | ||
| except: | ||
| variables: | ||
| - $CI_PIPELINE_SOURCE == "schedule" | ||
|
|
||
| sign-sbom: | ||
| stage: sign | ||
| needs: ["oci:build", 'tag', 'sbom'] | ||
| dependencies: | ||
| - oci:build | ||
| - tag | ||
| - sbom | ||
| image: alpine:3.19.1@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b | ||
| before_script: | ||
| - apk add --update cosign | ||
| - apk add --update curl | ||
| - *oci_login | ||
| script: | ||
| - cosign attest --yes --predicate ./sbom.json --key $COSIGN_PRIVATE_KEY "$(cat image-tag.txt)@$(cat digest.txt)" | ||
| only: | ||
| - main | ||
| - tags | ||
| except: | ||
| variables: | ||
| - $CI_PIPELINE_SOURCE == "schedule" |
26 changes: 26 additions & 0 deletions
26
ozgsec-best-practice-scanner-main/.gitlab/issue_templates/bug-en.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Error report template | ||
|
|
||
| ## Title of the error | ||
| Short, precise description of the error. | ||
|
|
||
| ## Location of the error | ||
| Describe where the error occurred. Is it an error in the application, the documentation, or elsewhere? | ||
|
|
||
| ## Description of the error | ||
| A detailed description of the error and how you came across it. Is the error reproducible? If yes, how? | ||
|
|
||
| ## Screenshot(s) | ||
| Include screenshots that visualise the error. This is particularly useful for layout issues or if the context is important for understanding the error. | ||
|
|
||
| ## Effects of the error | ||
| Describe the impact of the error on the user experience or functionality of the project. | ||
|
|
||
| ## Suggestions for correction | ||
| If you have any suggestions on how to fix the bug, please share them here. | ||
|
|
||
| ## Additional information / comments | ||
| Here you can add any additional information or specific comments that may be relevant to identifying or correcting the bug. | ||
|
|
||
| --- | ||
|
|
||
| Your accurate and precise description of the error will help us to continuously improve the quality of this project. Thank you for your contribution! |
26 changes: 26 additions & 0 deletions
26
ozgsec-best-practice-scanner-main/.gitlab/issue_templates/bug.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Fehlerreport Template | ||
|
|
||
| ## Titel des Fehlers | ||
| Kurze, präzise Beschreibung des Fehlers. | ||
|
|
||
| ## Ort des Fehlers | ||
| Beschreiben Sie, wo der Fehler aufgetreten ist. Handelt es sich um einen Fehler in der Anwendung, der Dokumentation oder an anderer Stelle? | ||
|
|
||
| ## Beschreibung des Fehlers | ||
| Eine detaillierte Beschreibung des Fehlers und wie Sie darauf gestoßen sind. Ist der Fehler reproduzierbar? Wenn ja, wie? | ||
|
|
||
| ## Screenshot(s) | ||
| Fügen Sie Screenshots bei, die den Fehler visualisieren. Dies ist besonders nützlich bei Layout-Problemen oder wenn der Kontext für das Verständnis des Fehlers wichtig ist. | ||
|
|
||
| ## Auswirkungen des Fehlers | ||
| Beschreiben Sie die Auswirkungen des Fehlers auf die Benutzererfahrung oder Funktionalität des Projekts. | ||
|
|
||
| ## Vorschläge zur Korrektur | ||
| Falls Sie Vorschläge zur Behebung des Fehlers haben, teilen Sie diese bitte hier mit. | ||
|
|
||
| ## Zusätzliche Informationen / Anmerkungen | ||
| Hier können Sie weitere Informationen oder spezielle Anmerkungen hinzufügen, die für die Identifizierung oder Korrektur des Fehlers relevant sein könnten. | ||
|
|
||
| --- | ||
|
|
||
| Durch Ihre genaue und präzise Fehlerbeschreibung helfen Sie uns, die Qualität unseres Projekts kontinuierlich zu verbessern. Vielen Dank für Ihren Beitrag! |
23 changes: 23 additions & 0 deletions
23
ozgsec-best-practice-scanner-main/.gitlab/issue_templates/feature-en.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Feature Template | ||
|
|
||
| ## Title of the request | ||
| Short, precise description of the desired further development or customisation. | ||
|
|
||
| ## Detailed description | ||
| A detailed description of what is to be changed or added. Please explain the purpose and expected benefit of this request. | ||
|
|
||
| ## Justification of the request | ||
| Explain why this enhancement or customisation is important for the project. This could be an improvement to the user experience or functionality. | ||
|
|
||
| ## Proposed implementation (optional) | ||
| If you have suggestions or ideas on how this request could be implemented, please describe them here. This can include designs, technical details or examples of similar implementations. | ||
|
|
||
| ## Possible impact | ||
| Describe what impact this change could have on the overall project or its users. This includes both positive and possible negative consequences. | ||
|
|
||
| ## Additional information / notes | ||
| Add any additional information here that may be relevant to understanding or evaluating your request. | ||
|
|
||
| --- | ||
|
|
||
| Your detailed and well-reasoned enquiry is very helpful to us. Thank you for your contribution and ideas! |
24 changes: 24 additions & 0 deletions
24
ozgsec-best-practice-scanner-main/.gitlab/issue_templates/feature.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| # Weiterentwicklungs-/Anpassungsanfrage Template | ||
|
|
||
| ## Titel der Anfrage | ||
| Kurze, präzise Beschreibung der gewünschten Weiterentwicklung oder Anpassung. | ||
|
|
||
| ## Detaillierte Beschreibung | ||
| Eine ausführliche Beschreibung dessen, was geändert oder hinzugefügt werden soll. Bitte erläutern Sie den Zweck und den erwarteten Nutzen dieser Anfrage. | ||
|
|
||
| ## Begründung der Anfrage | ||
| Erklären Sie, warum diese Weiterentwicklung oder Anpassung wichtig für das Projekt sind. Dies kann etwa eine Verbesserung der Benutzererfahrung oder einer Funktionalität sein. | ||
|
|
||
| ## Vorgeschlagene Umsetzung (optional) | ||
| Wenn Sie Vorschläge oder Ideen haben, wie diese Anfrage umgesetzt werden könnte, beschreiben Sie diese bitte hier. Dies kann Entwürfe, technische Details oder Beispiele ähnlicher Umsetzungen beinhalten. | ||
|
|
||
| ## Mögliche Auswirkungen | ||
| Beschreiben Sie, welche Auswirkungen diese Änderung auf das Gesamtprojekt oder seine Benutzer haben könnte. Dies umfasst sowohl positive als auch mögliche negative Konsequenzen. | ||
|
|
||
| ## Zusätzliche Informationen / Anmerkungen | ||
| Fügen Sie hier zusätzliche Informationen hinzu, die für das Verständnis oder die Bewertung Ihrer Anfrage relevant sein könnten. | ||
|
|
||
| --- | ||
|
|
||
| Ihre detaillierte und gut begründete Anfrage hilft uns sehr. Wir danken Ihnen für Ihren Beitrag und Ihre Ideen! | ||
|
|
22 changes: 22 additions & 0 deletions
22
ozgsec-best-practice-scanner-main/.gitlab/issue_templates/security-advisory-en.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Security advisory | ||
|
|
||
| If known, please provide the following information: | ||
|
|
||
| - Common Vulnerabilities and Exposures (CVE) identifier: | ||
| - Common weakness enumerator (CWE): | ||
|
|
||
| ## Impact | ||
|
|
||
| What type of vulnerability is this? Who is affected? | ||
|
|
||
| ## Patches | ||
|
|
||
| Has the issue been patched? Which versions should users update to? | ||
|
|
||
| ## Workarounds | ||
|
|
||
| Is there a way for users to fix the vulnerability without upgrading? | ||
|
|
||
| ## References | ||
|
|
||
| Are there links that users can visit to learn more? |
22 changes: 22 additions & 0 deletions
22
ozgsec-best-practice-scanner-main/.gitlab/issue_templates/security-advisory.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Sicherheitshinweis | ||
|
|
||
| Falls bekannt, geben Sie bitte die folgenden Informationen an: | ||
|
|
||
| - Common Vulnerabilities and Exposures (CVE) identifier: | ||
| - Common weakness enumerator (CWE): | ||
|
|
||
| ## Auswirkungen | ||
|
|
||
| Um welche Art von Schwachstelle handelt es sich? Wer ist betroffen? | ||
|
|
||
| ## Patches | ||
|
|
||
| Wurde das Problem gepatcht? Auf welche Versionen sollten Benutzer aktualisieren? | ||
|
|
||
| ## Workarounds | ||
|
|
||
| Gibt es eine Möglichkeit für Benutzer, die Schwachstelle zu beheben, ohne ein Upgrade durchzuführen? | ||
|
|
||
| ## Referenzen | ||
|
|
||
| Gibt es Links, die Benutzer besuchen können, um mehr zu erfahren? |
Oops, something went wrong.